On 20 May 2015 at 18:57, Andrew Rowley <[email protected]> wrote:
> Digitally signing software is pretty common on other platforms - and I think
> is at least possible on z/OS.
>
> Windows puts obstacles in your path if you want to install software that is
> NOT digitally signed. As another example, Jar files can be digitally signed.

Program Objects on z/OS can be signed by the Binder, and verified when the program is loaded. The problem is that -- unlike Windows -- it is an ongoing tradition to ship what SMP/E calls modules, and which are usually individual object modules rather than complete replacement load modules or program objects. These are further processed on the target system to create complete executable programs. So it's not clear where the signing and verification would be done.

> In fact why not require digital signatures as part of SMP/E packaging, so
> RECEIVE fails without a valid signature? Maybe even sign PTFs etc.
> individually, unless the overhead of individual checking would be too high
> (I suspect it would be undetectable in the background of normal SMP/E
> processing.) Add a BYPASS SIG option to get around the check. I'm slightly
> surprised that it isn't already done.

Indeed it doesn't sound too hard to adapt the existing SHA-1 hashing for GIMZIP packages to use an actual signature rather than just an integrity check. But then there's a whole infrastructure needed, some of which is in place, but which needs a thoughtful design rather than a rush implementation.

Do I hear Lynn Wheeler chipping in...?

Tony H.
